Apache Upgrade to fix vulnerabilities found by PCI DSS Scan


I've had a vulnerability scan run against my web server (for PCI DSS compliance) and they've come back with a handful of vulnerabilities. My Linode is running Ubuntu 12.04 LTS and Apache 2.2.22. It appears that most of the CVEs that were found on my server are fixed in later releases of Apache. Running apt-get update / apt-get upgrade --show-upgraded doesn't show anything new to install. I've seen on the Apache website that 2.2.29 is the latest version and I assume this will fix all of the vulnerabilities on my server. How do I upgrade from 2.2.22 to 2.2.29?



(edit: updated the post title to make this more useful to others who come across the same issue in future!)

3 Replies

Your apache may already be 'patched'. Depending on the vulnerabilities listed by your test… they may not test for the patch… the test may just be looking for the 'version'

:arrow: http://serverfault.com/questions/533206/how-to-apply-security-update-to-apache


:arrow: http://serverfault.com/questions/568456/how-to-upgrade-apache2-for-pci

hope this helps. :)

Yes! Thanks for that. The second one of those links was spot on - exactly the vulns the PCI scanner is claiming and, yes, on checking the "Detailed" section of my report, the "evidence" is simply version numbers. My Linode has apache2 2.2.22-1ubuntu1.7 and all the vulns were fixed in either 2.2.22-1ubuntu1.3 or 2.2.22-1ubuntu1.4.

Cheers MotoHoss!

Try changing "ServerTokens" to "Prod" (this hides the version number) and see how the scanner handles that :P
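The thread's point is that Ubuntu backports security fixes into the 2.2.22-1ubuntu1.x package revisions, so the upstream "2.2.22" string the scanner keys on says nothing about which fixes are installed. On the server itself you would compare `dpkg-query -W apache2` against the fixed-in revision with `dpkg --compare-versions`, and read `/usr/share/doc/apache2/changelog.Debian.gz` to see which CVE entries the installed revision carries. The script below is an added example, not code from the thread or from Ubuntu/Debian: it re-implements the dpkg version-ordering rules in Python (so it runs where dpkg is not available), and walks a Debian-format changelog to list the CVE entries at or below the installed revision. The changelog text, maintainer address and CVE identifiers in it are constructed placeholders, not the real apache2 changelog.

```python
import re
from itertools import zip_longest


def _split(version):
    """Split 'epoch:upstream-revision' into its three parts (dpkg layout)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    revision = ""
    if "-" in version:
        version, revision = version.rsplit("-", 1)
    return epoch, version, revision


def _order(ch):
    """dpkg ordering for non-digit characters: '~' sorts before everything
    (even the end of the string), letters before non-letters."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp_fragment(a, b):
    """Compare an upstream or revision fragment the way dpkg does:
    alternate non-digit runs (character ordering) and digit runs (numeric)."""
    while a or b:
        sa = re.match(r"[^0-9]*", a).group()
        sb = re.match(r"[^0-9]*", b).group()
        for x, y in zip_longest(sa, sb, fillvalue=""):
            if _order(x) != _order(y):
                return _order(x) - _order(y)
        a, b = a[len(sa):], b[len(sb):]
        na = re.match(r"[0-9]*", a).group()
        nb = re.match(r"[0-9]*", b).group()
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return ia - ib
        a, b = a[len(na):], b[len(nb):]
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 like 'dpkg --compare-versions' (re-implemented here)."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    c = (e1 > e2) - (e1 < e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)
    return (c > 0) - (c < 0)


def is_fixed(installed, fixed_in):
    """True when the installed package revision already carries the fix."""
    return compare_versions(installed, fixed_in) >= 0


# Constructed stand-in for changelog.Debian.gz; the CVE numbers are placeholders.
SAMPLE_CHANGELOG = """\
apache2 (2.2.22-1ubuntu1.7) precise-security; urgency=medium

  * SECURITY UPDATE: placeholder entry (CVE-0000-0003)

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

apache2 (2.2.22-1ubuntu1.4) precise-security; urgency=medium

  * SECURITY UPDATE: placeholder entry (CVE-0000-0002)

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000

apache2 (2.2.22-1ubuntu1.3) precise-security; urgency=medium

  * SECURITY UPDATE: placeholder entry (CVE-0000-0001)

 -- Placeholder Maintainer <maint@example.invalid>  Mon, 01 Jan 2001 00:00:00 +0000
"""

ENTRY_HEADER = re.compile(r"^(\S+) \(([^)]+)\)", re.M)
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_fixed_by(changelog, installed):
    """Collect CVE ids from every changelog entry whose version <= installed.
    This is the evidence to hand back to a scanner that only read the banner."""
    headers = list(ENTRY_HEADER.finditer(changelog))
    fixed = set()
    for i, h in enumerate(headers):
        if compare_versions(h.group(2), installed) > 0:
            continue  # entry newer than what is installed: fix not present
        end = headers[i + 1].start() if i + 1 < len(headers) else len(changelog)
        fixed.update(CVE_ID.findall(changelog[h.end():end]))
    return fixed


if __name__ == "__main__":
    installed = "2.2.22-1ubuntu1.7"
    print(installed, ">= 2.2.22-1ubuntu1.4:", is_fixed(installed, "2.2.22-1ubuntu1.4"))
    print("CVE entries carried:", sorted(cves_fixed_by(SAMPLE_CHANGELOG, installed)))
```

On a real host, replace `SAMPLE_CHANGELOG` with the decompressed contents of `/usr/share/doc/apache2/changelog.Debian.gz` and `installed` with the output of `dpkg-query -W -f '${Version}' apache2`; the resulting CVE list is what the "Detailed" section of the scan report should be reconciled against.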

